Hacker News

kwar13 today at 2:24 AM (3 replies)

Would've been good if it named the hosting provider. That's the most informative part.


Replies

r1ch today at 4:39 AM

Every shared hosting provider has this risk. Critical projects should be using dedicated or VPS hosting, preferably with encrypted filesystems too as even datacenter techs can fall victim to social engineering.

I'm pretty surprised that they got away with unsigned updates and shared hosting as long as they did. I wonder how many similar popular projects are out there on dodgy infrastructure.

Larrikin today at 2:36 AM

Maybe the hosting provider is currently undergoing an audit or implementing the changes?

I expect to know it one day, but it may be too early to provide the name now.

nickorlow today at 4:03 AM

Lawsuits are expensive and I'd think that naming and shaming would open npp up to one.